Database Security 


Objectives 


- Discuss database elements
- Explain database access control
- Understand how database security is threatened


What is a database?


A database is a structured collection of data that is accessed by one or more applications


- Databases are usually stored relationally, meaning that items are linked to each other
- For example:
  - Student data: name, birthday, student id, address
  - Healthcare data: name, birthday, patient id, address, doctor, date of visit
  - Website data: name, username, password, email, secret questions


Database elements 


- Most databases are relational
- Columns hold one particular type of data (name, for example)
- Each row is identified by a unique value of the primary key
- Elements include:
  - Primary key (example: student id)
  - Foreign key (example: major)
- Language: SQL
- DBMS (Database Management System): consists of the database, its users, and the tools used to manipulate the data


Database Access Control 


- Most SQL dialects and database programs provide two commands for controlling access:
  - GRANT
  - REVOKE
- Rights can include:
  - SELECT
  - INSERT
  - DELETE/DROP
  - UPDATE


Database Access Control - RBAC 


- Role-based access control (RBAC) is used to increase security
- Can be much more granular than "Read, Write, Execute" rights
- Roles can be applied to almost anything
- Examples of roles:
  - Database owner
  - Administrator
  - System administrator
  - End user
  - Report service
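As an added example (not part of the slides), the following Python script models GRANT/REVOKE and role-based rights using SQLite's authorizer hook, which lets a callback approve or deny each SELECT, INSERT, UPDATE, DELETE and DROP that a statement would perform. The role names, the rights table and the student rows are constructed for the example; a real DBMS enforces this server-side with GRANT and REVOKE statements rather than in client code.

```python
import sqlite3

# Rights named on the slide, mapped to the SQLite authorizer actions they
# govern. SQLite consults the authorizer while compiling a statement, so a
# denied statement is rejected before any row is touched.
RIGHT_ACTIONS = {
    "select": {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ},
    "insert": {sqlite3.SQLITE_INSERT},
    "update": {sqlite3.SQLITE_UPDATE},
    "delete": {sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE},  # Delete/Drop
}
GOVERNED_ACTIONS = set().union(*RIGHT_ACTIONS.values())

# Roles (constructed for this example) as sets of rights. grant()/revoke()
# edit these sets; every connection bound to the role sees the change.
ROLES = {
    "administrator": {"select", "insert", "update", "delete"},
    "end_user": {"select"},
    "report_service": {"select"},
}


def grant(role, right):
    """Equivalent of GRANT <right> TO <role>."""
    ROLES[role].add(right)


def revoke(role, right):
    """Equivalent of REVOKE <right> FROM <role>."""
    ROLES[role].discard(right)


def make_authorizer(role):
    """Build the callback SQLite invokes for each action in a statement."""
    def authorize(action, arg1, arg2, db_name, trigger):
        if action not in GOVERNED_ACTIONS:
            # Housekeeping actions (transactions, pragmas, functions) are
            # not rights on the slide, so they are allowed for every role.
            return sqlite3.SQLITE_OK
        allowed = set().union(*(RIGHT_ACTIONS[r] for r in ROLES[role]))
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY
    return authorize


def open_as(role):
    """Open a fresh in-memory database with sample rows, then bind it to a role."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE students (student_id INTEGER PRIMARY KEY, "
                 "name TEXT, major TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)",
                     [(1, "Ada", "CS"), (2, "Grace", "Math")])
    conn.set_authorizer(make_authorizer(role))  # everything after this is checked
    return conn


def attempt(conn, sql):
    """Run one statement; return ("ok", rows) or ("denied", error message)."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # SQLite reports "not authorized"
        return "denied", str(exc)


if __name__ == "__main__":
    user = open_as("end_user")
    print(attempt(user, "SELECT name FROM students"))
    print(attempt(user, "DELETE FROM students WHERE student_id = 1"))
    grant("end_user", "insert")
    print(attempt(user, "INSERT INTO students VALUES (3, 'Linus', 'EE')"))
    revoke("end_user", "insert")
    print(attempt(user, "INSERT INTO students VALUES (4, 'Ken', 'EE')"))
```

Because the check runs at statement-compile time, a role without the DELETE right cannot reach the rows at all, and a REVOKE takes effect on the very next statement without reconnecting; that is the same property a DBMS gives you when the application connects with a least-privilege account.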
Understanding why databases are important


- Organizations live off databases:
  - Customer data
  - Financial data
  - Security data


Threats 


- SQL injection
  - The goal is to extract information from the database
  - One of the most common types of attack
  - Exploited through insecure web applications
  - If the application has the permissions, the attacker can do nearly anything they want, including deleting or modifying data
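The quote-handling problem behind SQL injection, shown as an added Python/SQLite example that is not from the slides: the unsafe lookup splices user input into the SQL text, which already breaks on a legitimate username containing an apostrophe, and that same loss of structure is what an attacker exploits; the parameterized version handles the identical input correctly. The users table, usernames and e-mail addresses are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample users; one name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("o'brien", "ob@example.org")])
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: the input is spliced into the SQL text, so a quote
    # character in the input changes the structure of the statement.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Parameterized query: the value travels separately from the SQL text and
    # is never parsed as SQL, whatever characters it contains.
    cur = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in cur]


def compare(username):
    """Return (safe result, unsafe result or the error the unsafe query raised)."""
    conn = make_db()
    safe = lookup_safe(conn, username)
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        unsafe = "error: " + str(exc)
    return safe, unsafe


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("o'brien"))
```

Parameterization removes the injection vector; pair it with the slide's last point by giving the application's database account only the rights it needs (for example SELECT on the tables it reads), so that a flaw in the web application cannot turn into a DELETE or DROP.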


- Inference
  - An attacker can use queries to "infer" database structure or content
  - Occurs when too much access is given to a user
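An added example (not from the slides) of inference and one control against it, in Python over SQLite: a user who is allowed only aggregate queries can still learn one patient's bill by restricting the aggregate to a doctor who has a single patient; a minimum query-set size refuses such narrow statistics. The patients table, names, doctors and bills are constructed for the example.

```python
import sqlite3

MIN_QUERY_SET = 3  # refuse statistics computed over fewer rows than this


def make_db():
    """Constructed patient records: doctor Kim has exactly one patient."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, doctor TEXT, bill INTEGER)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("Ann", "Lee", 100), ("Bob", "Lee", 200), ("Cy", "Lee", 300),
        ("Dee", "Kim", 950),
    ])
    return conn


def _scope(doctor):
    # The WHERE clause is a fixed string; the doctor's name is a bound parameter.
    if doctor is None:
        return "", ()
    return " WHERE doctor = ?", (doctor,)


def average_bill_unguarded(conn, doctor=None):
    """Plain aggregate: restricted to a one-patient doctor it reveals that bill."""
    where, params = _scope(doctor)
    (avg,) = conn.execute("SELECT AVG(bill) FROM patients" + where, params).fetchone()
    return avg


def average_bill(conn, doctor=None):
    """Same aggregate with a query-set-size check; None means the query was refused."""
    where, params = _scope(doctor)
    (n,) = conn.execute("SELECT COUNT(*) FROM patients" + where, params).fetchone()
    if n < MIN_QUERY_SET:
        return None  # too few rows: the statistic would identify an individual
    return average_bill_unguarded(conn, doctor)


if __name__ == "__main__":
    db = make_db()
    print(average_bill_unguarded(db, "Kim"))  # leaks the single patient's bill
    print(average_bill(db, "Kim"))            # refused
    print(average_bill(db, "Lee"))            # allowed: three patients
```

A minimum set size is only one control: two individually permitted queries whose sets differ by one row can still be subtracted, so statistical databases combine it with limits on the number and overlap of queries, or with restricting which users may query at all, which is the access point the slide makes.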

- Encryption
  - Database encryption is usually not performed
  - An attacker may be able to grab unencrypted data if encryption is not performed
  - Encryption becomes essential to secure data


